IE7: 22 hours to catch a phish

It is now 24 hours since I received an obvious phishing email in my inbox and reported it through both IE7 and Firefox 2.0. Two hours ago, IE7 still said, “This is not a reported phishing website”. Now it’s finally made it:

If this is typical, then the IE7 phishing filter is of little use. Phishing sites don’t last long, usually only a few days. Most victims will click the link the moment it turns up in their inbox, not a day later. Speed is of the essence. After 22 hours, most of the damage will already have been done.

Actually, the IE7 phishing filter could be worse than useless. The message “This is not a reported phishing website” imparts a false sense of security, making it more likely that someone will type in their personal information.

Checking again in Firefox, it now catches the phish on its downloaded-list settings, which is the default. Using the dynamic query option in Firefox caught it earlier, but even that won’t catch a brand new phish.

Let me add that anyone clicking one of these links is ignoring plentiful advice from banks and from the media; and in this case the lack of an SSL connection is another sure-fire indication that this is a forgery. But some phishing attempts are cleverly phrased, making you think that someone has placed an order in your name, hacked your PayPal account, or damaged your eBay reputation. In the heat of the moment, it is easy to make mistakes.

Conclusion: Don’t rely on phishing filters to protect you; and if you want to use the one in Firefox, turn on dynamic queries (which means sending a record of your browsing activity to Google).

6 thoughts on “IE7: 22 hours to catch a phish”

I’m a sysadmin and I’m experimenting today trying to beat my users to the punch by exploring phishing sites.

I’m happy to see you’ve done the heavy lifting, Tim. But when re-enacting your experiment here, I took what URL was visible and entered it into the address bar for IE7 and Firefox. Now, I had to do some drilling down to get to the root webpage – please understand this is a “rough and ready test” while I’m experimenting.

Since you’d reported it, I thought it would be a sure bet to be reported as a phishing site. But IE7 let me through, as in your original test. Firefox / Google did report it as a phishing site.

I’ve reported the page I encountered and I’m also waiting for it to get reported.

I read the on phishing which gave me an overview, but it’s left me wanting more.

I’m curious: Is this going to be a battle of escalation where small changes invalidate the phishing filter? Or has the page been reported to Google and I’m only halfway through the life-cycle?

This isn’t what I was expecting. I thought it would be universally reported as a phishing site. I’ll stay in touch and keep you up to date with my findings.

I’m surprised too. I’ve just been back to the site and IE7 still reports it to me as a phishing site. Maybe a temporary glitch in Microsoft’s phishing check server?

No… I think I may have it. When you put in the partial url, you don’t get the phishing page. You get (at the time of writing) an apache directory listing. The phishing page is listed; it has the curious name “sessiondid=233545489..”.

If I go to the actual page, both IE7 and Firefox report it. But if I go to the directory listing, Firefox reports it, IE7 does not. Is that the difference here?

You’re correct, I got to it via the directory listing. IE is not reporting the directory listing either.

Now I’m thinking it’s just a matter of the time between your report and my finding it, and hopefully it’ll get reported as a phishing site promptly. To me, at least, this is indicating that the idea of a heuristic scan based on “bank pin” and “account number” etc. might be a very useful tool.